[Newsclips] IETF SYN-ACK Newspack 2022-10-10

David Goldstein <david@goldsteinreport.com> Mon, 10 October 2022 05:36 UTC

From: David Goldstein <david@goldsteinreport.com>
To: newsclips@ietf.org
Date: Mon, 10 Oct 2022 16:36:43 +1100
Archived-At: <https://mailarchive.ietf.org/arch/msg/newsclips/Ik1tBJ33BS6qfqBRFfZQJVv3sYg>
Subject: [Newsclips] IETF SYN-ACK Newspack 2022-10-10

The IETF SYN-ACK Newspack collects IETF-related items from a variety of news outlets and other online publications. They do not represent the views of the IETF and are not checked for factual accuracy.

 

**********************

IETF IN THE NEWS

**********************

Warren Kumari to serve as IETF Liaison Manager to ISO/IEC JTC1 SC6

The IAB has appointed Warren Kumari to serve as the new IETF Liaison Manager to ISO/IEC JTC1 SC6. The IAB thanks Warren for agreeing to serve the community in this role.

<https://www.iab.org/2022/10/03/warren-kumari-to-serve-as-ietf-liaison-manager-to-iso-iec-jtc1-sc6/>

 

Team demonstrates that basic mechanism for internet security can be broken

... From a technical point of view, such attacks are usually based on prefix hijacks. They exploit a fundamental design problem of the internet: The determination of which IP address belongs to which network is not secured. To prevent any network on the internet from claiming IP address blocks they do not legitimately own, the IETF, the organization responsible for the internet, standardized the Resource Public Key Infrastructure, RPKI.

<https://techxplore.com/news/2022-10-team-basic-mechanism-internet-broken.html>

 

A fundamental mechanism that secures the internet has been broken

Resource Public Key Infrastructure, or RPKI as it's better known, is a security framework that is designed to prevent cybercriminals or rogue states from diverting internet traffic. The National Research Center for Cybersecurity ATHENE says it has found a way to easily bypass this security mechanism, and in a way that means affected network operators are unable to notice. ... To prevent any network on the internet from claiming IP address blocks they do not legitimately own, the IETF, the organization responsible for the internet, standardized the Resource Public Key Infrastructure, RPKI.

<https://betanews.com/2022/10/04/mechanism-that-secures-the-internet-broken/>

 

It's 2058. A quantum computer is just another decade away. Still, you curse Cloudflare

Cloudflare is the first major internet infrastructure provider to support post-quantum cryptography for all customers, which, in theory, should protect data if quantum computing ever manages to break today's encryption technologies. ... In their blog post, Westerbaan and Rubin pledged to post updates on Cloudflare's post-quantum key agreement support on pq.cloudflareresearch.com and announce it on the IETF PQC mailing list.

<https://www.theregister.com/2022/10/03/cloudflare_postquantum_cryptography/>

 

ITU And The Future Of The Internet

... Bogdan-Martin is an ITU veteran with years of experience working with global telecoms regulators. She also believes that current internet governance models need not change and bodies like the IETF should be left to work on standards and technologies pertaining to the ‘net, and the ITU should do its thing regarding international co-operation.

<https://www.thisdaylive.com/index.php/2022/10/05/itu-and-the-future-of-the-internet/>

 

Automating Supply Chain Integrity

Recently, the IETF announced its Supply Chain Integrity Transparency and Trust (SCITT) initiative and emerging frameworks to come out of the initiative. One of those frameworks, MITRE’s supply chain “System of Trust,” is already available to help identify and score risk, while providing a common taxonomy for software, hardware and service providers.

<https://shiftleft.grammatech.com/automating-supply-chain-integrity>

<https://securityboulevard.com/2022/10/automating-supply-chain-integrity/>

 

Attention: RPKI mechanism for Internet security broken!

... To prevent any network on the internet from claiming IP address blocks that do not legitimately belong to it, the IETF, the standardization organization responsible for the internet, standardized the Resource Public Key Infrastructure (RPKI). RPKI uses digitally signed certificates that confirm that a given IP address block actually belongs to the stated network. According to measurements by the ATHENE team, almost 40% of all IP address blocks now have an RPKI certificate, and around 27% of all networks check these certificates.

<https://www.it-daily.net/shortnews/achtung-rpki-mechanismus-fuer-internet-sicherheit-gebrochen>

<https://idw-online.de/de/news802352>

 

The trail we leave when we use Wi-Fi even if we don't connect

... The impact that the use of random MAC addresses may have on the applications we use and on the networks we connect to is currently being investigated. There are scenarios in which the network needs to identify a device anonymously even though it uses random addresses. This is the goal of the MADINAS working group of the IETF, the main standardization body for internet protocols.

<https://theconversation.com/el-rastro-que-dejamos-cuando-usamos-wifi-aunque-ni-nos-conectemos-176933>

<https://www.elnortedecastilla.es/tecnologia/rastro-dejamos-usamos-20221003102613-ntrc.html>

<https://www.lanacion.com.ar/tecnologia/el-rastro-que-dejamos-cuando-usamos-wi-fi-aunque-ni-nos-conectemos-nid04102022/>

<https://www.telecinco.es/informativos/tecnologia/20221003/que-rastro-dejamos-usamos-red-wifi_18_07608827.html>

<https://www.vozpopuli.com/tecnologia/tiene-sensacion-aplicaciones-telefono-espian.html>

 

Researchers demonstrated how vulnerable the basic mechanism for Internet security is

... From a technical point of view, these attacks are usually based on prefix hijacks. They exploit a fundamental design problem of the Internet: the determination of which IP address belongs to which network is not protected. To prevent any network on the Internet from claiming IP address blocks it does not legitimately own, the IETF, the organization responsible for the Internet, standardized the Resource Public Key Infrastructure, RPKI.

<https://eju.tv/2022/10/investigadores-demostraron-lo-vulnerable-que-es-el-mecanismo-basico-para-la-seguridad-en-internet/>

<https://wwwhatsnew.com/2022/10/06/investigadores-demostraron-lo-vulnerable-que-es-el-mecanismo-basico-para-la-seguridad-en-internet/>

 

An IBM, Vodafone and GSMA group to secure networks with quantum

... The GSMA Post-Quantum Telco Network Taskforce also plans to work with bodies such as the IETF and the United States' National Institute of Standards and Technology (NIST). And there is a lot to do. The World Economic Forum in Davos recently estimated that more than 20 billion digital devices will have to be upgraded or replaced over the next 10 to 20 years to be able to use the new forms of encrypted communication that can withstand the computing power of quantum technologies.

<https://www.reseaux-telecoms.net/actualites/lire-un-groupe-ibm-vodafone-et-gsma-pour-securiser-les-reseaux-avec-le-quantique-28501.html>

 

IPSec VPN: everything you need to know about this feature

... Standardized in 1995 by the IETF, IPSec is a set of secure communication protocols designed specifically to protect network flows. Concretely, this feature makes it possible to establish private, encrypted communication between remote entities, in order to secure data sent over public, unsecured networks while authenticating the origin of IP packets.

<https://www.lebigdata.fr/vpn-ipsec-tout-savoir>

 

A task force has been created to promote secure quantum networks

... The task force will have to set the priorities it considers critical and develop solutions that will protect switches, network devices and endpoints. The group also expects other players in this market to join its standards-setting efforts. It primarily has in mind organizations such as the IETF and the US National Institute of Standards and Technology (NIST).

<https://www.computerworld.pl/news/Powstala-grupa-zadaniowa-promujaca-bezpieczne-sieci-kwantowe,441515.html>

 

Independent through Panasonic's first-ever carve-out: a software engineer breaks the hardware-first wall with IoT

... Miyazaki joined Panasonic in 1995 and was assigned to a department responsible for studying communication methods for mobile phones and developing data-communication software. From his second year he worked on developing a new communication standard himself. He was also involved in developing a product that was a forerunner of video telephony, and built a track record that included proposing the communication standard he had developed to the international standards body IETF and having it standardized.

<https://xtech.nikkei.com/atcl/nxt/column/18/01158/090600041/>

 

"The OAuth 2.0 Standard" book published with the support of Sinbad

Ghazaleh Sadr / In 2008 the Internet Engineering Task Force (IETF) formed a working group to standardize the OAuth protocol and add it to its standards. In 2010 this working group finally published the OAuth 1.0 protocol as an official standard, RFC 5849, and from then on all Twitter third-party applications were required to use it. In 2012 this standardized framework, taking extensibility requirements into account and by the consensus of a broad section of IETF members, was published as RFC 6749, and its Persian translation, titled "The OAuth 2.0 Standard", has now been published with the support of Sinbad by Rah-e Pardakht publishing.

<https://way2pay.ir/290334/>

 

International Telecommunication Union elections: the US won, Russia lost, Iran was out

... In addition, Chinese state companies and Beijing itself have proposed a "New IP", which is apparently a response to the lack of innovation in how data is processed at the lowest layers of the internet. China has proposed that labelling data packets according to their intended purpose could improve data routing and reduce latency. Such matters, however, are usually decided in non-governmental bodies such as ICANN or the Internet Engineering Task Force (IETF).

<https://peivast.com/p/143996>

 

The story of bypassing the national internet with Google's Outline VPN filter breaker [+how to activate it]

... Outline uses the Shadowsocks protocol to establish the connection between client and server. The program encrypts data with the Salsa20 stream cipher (with a 256-bit key) and authenticates it with IETF Poly1305.

<https://figar.ir/cinema-and-tv/shortnews/90056-google-outline-vpn-filter-breaker/>

 

**********************

SECURITY & PRIVACY

**********************

That thing to help protect internet traffic from hijacking? It's broken

An internet security mechanism called Resource Public Key Infrastructure (RPKI), intended to safeguard the routing of data traffic, is broken, according to security experts from Germany's ATHENE, the National Research Center for Applied Cybersecurity.

<https://www.theregister.com/2022/10/09/internet_traffic_routing_defense/>

<https://www.msn.com/en-us/money/other/that-thing-to-help-protect-internet-traffic-from-hijacking-its-broken/ar-AA12LSJ9>

 

The open internet repels its most insidious attackers. They’ll return

China and Russia have been colluding to try to get a Chinese Internet protocol, New IP, adopted as a global standard. It's needed, they say, to improve quality of service guarantees. (Oh, and by the way, it also lets countries take complete control of their national networks, adding user registration requirements and shutting off interoperability.)

<https://www.theregister.com/2022/10/03/open_internet_opinion_column/>

 

Cybersecurity Regulation: It’s Not ‘Performance-Based’ If Outcomes Can’t Be Measured

After Colonial Pipeline suffered a ransomware attack in May 2021 and took its 5,500-mile system offline for nearly a week, the Transportation Security Administration (TSA) issued a set of first-ever directives imposing mandatory cybersecurity requirements on pipeline operators. Industry balked, criticizing the rules for being too prescriptive. On July 21, 2022, the TSA issued a revised directive, heralded by the government and praised by industry for being “performance-based.”

<https://www.lawfareblog.com/cybersecurity-regulation-its-not-performance-based-if-outcomes-cant-be-measured>

 

KINDNS initiative to improve mutual understanding and security of DNS among operators

The DNS is among the most crucial services in today’s Internet and yet is one of the most misunderstood by its operators. This has made the DNS a target for malicious activity.

<https://blog.apnic.net/2022/10/05/kindns-initiative-to-improve-mutual-understanding-and-security-of-dns-among-operators/>

 

Routing security in Singapore

When we at the Internet Society published the ccTLD study in 2021 to measure how much content is hosted inside or outside economies based on measures such as latency and hop-count, it was evident that Singapore is popular for hosting content of all varieties, especially within the Asia Pacific region. As noted in the study, 68% of Singapore’s ccTLD, .sg, was hosted inside the economy. Malaysia also appeared in the data as a popular location abroad for hosting ccTLD content.

<https://blog.apnic.net/2022/10/04/routing-security-in-singapore/>

 

us: CISA Kicks Off Cybersecurity Awareness Month

The Cybersecurity and Infrastructure Security Agency (CISA) kicked off Cybersecurity Awareness Month today, following a proclamation by President Biden designating October as a time for the public and private sectors to work together to continue raising awareness about the importance of cybersecurity and equip the American people with the resources needed to be safer and more secure online. Throughout October, CISA, in partnership with the National Cybersecurity Alliance (NCA), will focus on what it means to “See Yourself in Cyber” by highlighting the actions that all Americans can take to raise the baseline for cybersecurity across the country.

<https://www.cisa.gov/news/2022/10/03/cisa-kicks-cybersecurity-awareness-month>

 

Cybersecurity Awareness Month 2022: Enabling Multi-factor Authentication Key behavior: Multi-factor Authentication

In celebration of Cybersecurity Awareness Month, NIST will be publishing a dedicated blog series throughout October; we will be sharing blogs each week that will match up to four key behaviors identified by the National Cybersecurity Alliance (NCA). Today’s interview-style blog features two NIST experts —Bill Newhouse and Ryan Galluzzo—discussing different reasons to enable multi-factor authentication (a mechanism to verify an individual’s identity by requiring them to provide more information than just a username and password).

<https://www.nist.gov/blogs/cybersecurity-insights/cybersecurity-awareness-month-2022-enabling-multi-factor-authentication>

 

us: CISA Directs Federal Agencies to Improve Cybersecurity Asset Visibility and Vulnerability Detection

The Cybersecurity and Infrastructure Security Agency (CISA) issued today Binding Operational Directive (BOD) 23-01, Improving Asset Visibility and Vulnerability Detection on Federal Networks, that directs federal civilian agencies to better account for what resides on their networks.

<https://www.cisa.gov/news/2022/10/03/cisa-directs-federal-agencies-improve-cybersecurity-asset-visibility-and>

 

us: Cybersecurity Quarterly Fall 2022

The Fall 2022 issue of Cybersecurity Quarterly focuses on cyber defense strategies and actions, with articles discussing concrete actions to defend against ransomware; how our members help us determine our future offerings; best practices to stop attacks exploiting a common network administration tool; tips for hardening Windows servers using the CIS Benchmarks; guidance to develop an enterprise asset management policy; how we're making our security best practices more machine-friendly, and more.

<https://www.cisecurity.org/insights/white-papers/cybersecurity-quarterly-fall-2022>

 

us: Collective Defense — Integrated cyber expertise hardens cybersecurity

As technology continues to advance, connecting people with information, each other, and the world, nation state cyber actors continually advance in skill and sophistication targeting all levels of the U.S. government, critical infrastructure, academia, industry, and U.S. allies. The threats that face our nation are critical and require partnerships across the public and private sectors to create a collective defense.

<https://www.nsa.gov/Press-Room/Press-Releases-Statements/Press-Release-View/Article/3176122/collective-defense-integrated-cyber-expertise-hardens-cybersecurity/>

 


ICANN Promotes Good Cybersecurity Practices During EU Cybersecurity Month by Samaneh Tajalizadehkhoob

October is the European Union's "Cybersecurity Month." We are using this event to highlight some of the ways our organization promotes good cybersecurity practices and helps make the Internet safer for everyone.

<https://www.icann.org/en/blogs/details/icann-promotes-good-cybersecurity-practices-during-eu-cybersecurity-month-03-10-2022-en>

 

A Tutorial on Addressing the Challenge of Modern DNS: For everyone that wants to know more

Earlier this year, our tutorial paper ‘Addressing the challenges of modern DNS: A comprehensive tutorial‘ was published. The paper was co-authored with colleagues at the University of Twente and sinodun. It describes the DNS from two perspectives: what the modern DNS actually looks like in practice, and what security challenges currently face the DNS. The paper is aimed at technical personnel who want to know more about the DNS, and at DNS specialists looking for somewhere to get started on a more detailed exploration of the subject – and thus perfect for everyone who wants to prepare for the KINDNS framework.

<https://kindns.org/2022/08/a-tutorial-on-addressing-the-challenge-of-modern-dns-for-everyone-that-wants-to-know-more/>

 

**********************

INTERNET OF THINGS

**********************

EU Commission postponed AI treaty negotiations with further delays in sight

The European Commission has managed to postpone discussions on the Council of Europe’s treaty on Artificial Intelligence, with a view to obtaining a mandate to negotiate on behalf of the EU. Further delays might still follow as the bloc tries to get its act together.

<https://www.euractiv.com/section/digital/news/eu-commission-postponed-ai-treaty-negotiations-with-further-delays-in-sight/>

 

ITU J-FET 2022: Special Issue – Towards vehicular networks in the 6G era

This special issue (Vol. 3) includes seven novel contributions dealing with rising communication and networking technologies for vehicular networks, in a holistic fashion and at different layers, to meet the high expectations of the 6G era.

<https://www.itu.int/hub/publication/s-jnl-vol3-issue2-2022/>

 

PETIoT: PEnetration Testing the Internet of Things

Abstract: Attackers may attempt exploiting Internet of Things (IoT) devices to operate them unduly as well as to gather personal data of the legitimate device owners. Vulnerability Assessment and Penetration Testing (VAPT) sessions help to verify the effectiveness of the adopted security measures. However, VAPT over IoT devices is an open research challenge due to the variety of target technologies and to the creativity it may require. Therefore, this article aims at guiding penetration testers to conduct VAPT sessions over IoT devices by means of a new Cyber Kill Chain (CKC) termed PETIoT. With its six essential steps, the novelty of PETIoT is that it is slimmer than its ancestors from the state of the art, yet complete for its application domain. PETIoT is demonstrated on a relevant example, the best-selling IP camera on Amazon Italy, the TAPO C200 by TP-Link, assuming an attacker who sits on the same network as the device. Additional knowledge is generated in terms of four zero-day vulnerabilities found and practically exploited on this device, with medium impact by the CVSS standard. These new vulnerabilities are camera Denial of Service (DoS), motion detection DoS, motion detection breach and video stream breach. The application of PETIoT culminates with a home-made fix, based on an inexpensive Raspberry Pi 4 Model B device, for the last vulnerability.

<https://papers.ssrn.com/sol3/papers.cfm?abstract_id=4239499>

 

The Internet of Things is still very messy. That could be about to change

Connectivity Standards Alliance (CSA), backed by Google, Amazon, Apple and more, has released the Matter 1.0 standard and certification program, which promises a unified smart home experience.

<https://www.zdnet.com/home-and-office/smart-home/the-internet-of-things-is-still-very-messy-that-could-be-about-to-change/>

 

The focus of the internet of things (IoT) must pivot to achieve health care potential

In many ways, internet of things (IoT) is a double-edged sword: connected devices are capturing huge volumes and varieties of data that can be mined for everything from potentially life-saving health care information to guidance toward peak athletic performance, but it is incredibly difficult to convert that raw data into truly meaningful and actionable insights.

<https://www.kevinmd.com/2022/10/the-focus-of-the-internet-of-things-iot-must-pivot-to-achieve-health-care-potential.html>

 

Matter’s Internet of Things standard, certification ready for developers

The consortium behind the Matter standard for the Internet of Things has officially approved the long-awaited standard. The open-source connectivity standard was built around a shared belief that smart home devices should seamlessly integrate with other systems and be secure and reliable.

<https://techcrunch.com/2022/10/04/matters-internet-of-things-standard/>

 

Matter 1.0 standard for IoT development announced

The Connectivity Standards Alliance (CSA), an international community of more than 550 technology companies committed to open standards for the Internet of Things, has announced the release of the Matter 1.0 specification and the opening of the Matter certification program.

<https://itwire.com/your-it-news/home-it/matter-1-0-standard-for-iot-development-announced.html>

 

**********************

NEW TRANSPORT PROTOCOLS

**********************

If you need a TCP replacement, you won't find a QUIC one

Systems Approach: Some might say there's a possibility QUIC will start to replace TCP. This week I want to argue that QUIC is actually solving a different problem than that solved by TCP, and so should be viewed as something other than a TCP replacement.

<https://www.theregister.com/2022/10/07/quic_tcp_replacement/>

 

Citrix Has Gone Private. Here’s What It Means for DevOps.

... We do a lot of work around optimizing the HTTP3 or QUIC Protocol, and with that, we will deliver the best experience for all internet-facing properties.

<https://thenewstack.io/citrix-has-gone-private-heres-what-it-means-for-devops/>

 

Cybersecurity: what integrity and authenticity of information are and how to obtain them

... The software and its fingerprint should satisfy the requirement of different channels, which in practice means that the two files reside on different web servers. The use of the https protocol, which employs TLS, or of http/3 (which employs QUIC), implicitly guarantees integrity, so in such situations Alice will send only the file, while the fingerprint will be automatically added and verified by the protocols.

<https://www.agendadigitale.eu/sicurezza/cybersecurity-cosa-sono-integrita-e-autenticita-delle-informazioni-e-come-ottenerle/>

 

Netzwerkanalyse mit Wireshark 4.0: Neue Filter fürs Haifischbecken [Network analysis with Wireshark 4.0: New filters for the shark tank]

... Alongside a large number of reworked protocol dissectors, such as fully supported QUIC, several new dissectors have been added. Among them are the encrypted file transfer protocols Secure File Transfer Protocol (sftp) and SSH File Transfer Protocol (SFTP), as well as Protected Extensible Authentication Protocol (PEAP), the authentication protocol used in IEEE 802.1X environments.

<https://www.heise.de/news/Netzwerkanalyse-mit-Wireshark-4-0-Neue-Filter-fuers-Haifischbecken-7285720.html>

 

**********************

OTHERWISE NOTEWORTHY

**********************

W3C DevMeetup report – Vancouver, 2022

On September 13, 2022, in Vancouver BC, Canada, the W3C developer relations team organized a developer meetup as part of the annual W3C TPAC2022 (Technical Plenary / Advisory Committee) week for the global Web community to coordinate the development of Web standards.

<https://www.w3.org/blog/2022/10/w3c-devmeetup-2022-vancouver-report/>

 

US candidate beats Russian to secure top UN telecommunications job

On 29 September, member states of the International Telecommunication Union voted to elect Doreen Bogdan-Martin as the organisation’s next secretary-general. Bogdan-Martin—a US national who’s served in the ITU since 1994—was in contention for the top job with Rashid Ismailov, a former Russian deputy minister and executive at Huawei, Nokia and Ericsson.

<https://www.aspistrategist.org.au/us-candidate-beats-russian-to-secure-top-un-telecommunications-job/>

 

Labs gain official recognition for testing conformance with ITU standards

Testing labs can now obtain official recognition from the International Telecommunication Union (ITU) for their competence to test the conformance of products with ITU technical standards.

<https://www.itu.int/hub/2022/10/labs-gain-official-recognition-for-testing-conformance-with-itu-standards/>

 

RFC 9318 on IAB Workshop Report: Measuring Network Quality for End-Users

The IAB has published RFC 9318: IAB Workshop Report: Measuring Network Quality for End-Users. Abstract: The Measuring Network Quality for End-Users workshop was held virtually by the Internet Architecture Board (IAB) on September 14-16, 2021. This report summarizes the workshop, the topics discussed, and some preliminary conclusions drawn at the end of the workshop.

<https://www.iab.org/2022/10/05/rfc-9318-on-iab-workshop-report-measuring-network-quality-for-end-users/>

 

China cracks down on citizens' anti-censorship tools with Great Firewall upgrades

China has reportedly upgraded its 'Great Firewall' to instigate a crackdown on Transport Layer Security (TLS) encryption-based tools that are used by citizens to evade the censorship system.

<https://www.itpro.co.uk/business/policy-legislation/369250/china-reinforces-great-firewall-to-crack-down-on-anti-censorship-tools>

<https://www.techcentral.ie/china-cracks-down-on-citizens-anti-censorship-tools-with-great-firewall-upgrades/>

 

China upgrades Great Firewall to defeat censor-beating TLS tools

China appears to have upgraded its Great Firewall, the instrument of pervasive real-time censorship it uses to ensure that ideas its government doesn’t like don’t reach China’s citizens.

<https://www.theregister.com/2022/10/06/great_firewall_of_china_upgrades/>

<https://www.msn.com/en-us/news/technology/china-upgrades-great-firewall-to-defeat-censor-beating-tls-tools/ar-AA12EeSY>

 

A complex network analysis of global Internet public peering

A significant and growing part of Autonomous System (AS)-level traffic exchanges takes place at Internet Exchange Points (IXPs). This type of interconnection is facilitated by PeeringDB, a database where network operators report information to find new peers.

<https://blog.apnic.net/2022/10/06/a-complex-network-analysis-of-global-internet-public-peering/>

 

How Broadband Infrastructure Can Help Tackle Climate Change by Ben Crawford, CEO of CentralNic

Both the digital divide and the climate crisis are global issues that have a disproportionate impact on developing countries. I have previously written about the steps tech companies can take to help close the usage gap and support new internet users to share in the gains of the digital economy. However, I was interested to come across a report by Teddy Woodhouse for The Alliance for Affordable Internet (A4AI), an initiative of Tim Berners-Lee’s World Wide Web Foundation, that showed how sustainably closing the internet connectivity and usage gaps in low- and middle-income markets can also help in the fight against global warming. ... Greening this infrastructure will largely fall to policymakers to implement new standards for network construction, operation and maintenance, such as regulation that encourages shared infrastructure, access to a clean-as-possible electricity grid and fair tariffs on infrastructure usage and imports of green equipment.

<https://www.forbes.com/sites/forbesbusinesscouncil/2022/10/07/how-broadband-infrastructure-can-help-tackle-climate-change/>

------

David Goldstein

email: david@goldsteinreport.com

web: http://goldsteinreport.com/

Twitter: https://twitter.com/goldsteinreport

phone: +61 418 228 605 - mobile; +61 2 9663 3430 - office/home